[whatwg] Please disallow "javascript:" URLs in browser address bars
Brett Zamir
brettz9 at yahoo.com
Thu Jul 22 21:45:49 PDT 2010
On 7/23/2010 6:35 AM, Luke Hutchison wrote:
> On Thu, Jul 22, 2010 at 5:39 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>
>> I can see the security benefits of disallowing all cross-origin application
>> of javascript: (if you don't know where it came from, don't apply it).
> Yes, that is actually a really good way to put things -- javascript
> typed into the URL bar is cross-origin. (And dragging bookmarklets to
> the address bar or bookmarks bar is also cross-origin, that's the
> reason that a security check should be applied and/or user warning
> given.)
>
> Facebook already disallows the execution of arbitrary js code on a fan
> page, of course, which is why these viruses require you to manually
> copy/paste into the address bar.
In whatever security mechanism is worked out, besides preserving the
ability for people to be able to use the URL bar for potentially
privileged bookmarklets if they wish (even if they must give permission
after receiving a specific warning), I would actually like to see the
privileges available to bookmarklets expanded, upon explicit warnings
and user permission. For example, it would be of enormous use to be able
to link someone to a specific site, while manipulating the view of that
page such as to mash over the data with tooltips, mash down some data
from it to a smaller set, mash up the data with additional notes/sources
(whether from other sites or text found on the source page), or mash
under the data with semantic markup changes or highlighting of specific
text.
I know this is absolutely dangerous, but if people can install
extensions which can wipe out hard-drives with two clicks and a
restart (and thank God that such power exists in browsers like Firefox
so people can make extensions which do access the file system for
positive uses), there should be a way, such as with dead-serious
warnings (and I'll concede disallowing https), that people can mash an
existing source and still work in its scope (just as I think there
should be the ability to run cross-domain Ajax after getting user
permission). Greasemonkey is great, but it would be nice for there to be
a standard, especially for uses such as referring people immediately to a
specific subset of content on another page.
Brett